trustcheck is a Python package and CLI for evaluating the trust posture of PyPI releases before they are installed, promoted, or approved.
It combines PyPI metadata, vulnerability records, provenance availability, cryptographic attestation verification, Trusted Publisher identity hints, and repository matching into a single operator-friendly report.
Packages that publish no provenance are treated as needing review rather than as automatic high-risk findings, while invalid provenance, partial coverage, repository mismatches, and known vulnerabilities remain stronger negative signals.
For a selected package version, trustcheck can:
- fetch project and release metadata from PyPI
- verify published provenance against artifact digests
- surface Trusted Publisher repository and workflow identity hints
- compare expected repository input against declared and attested signals
- flag publisher drift, missing verification, and known vulnerabilities
- emit concise text output or structured JSON for automation
Install it from PyPI:

```shell
pip install trustcheck
```

Requirements:

- Python >=3.10
- Network access to PyPI
Inspect the latest release:

```shell
trustcheck inspect requests
```

Inspect a specific version:

```shell
trustcheck inspect sampleproject --version 4.0.0
```

Show only known vulnerabilities for a release:

```shell
trustcheck inspect sampleproject --version 4.0.0 --cve
```

Inspect a package and its direct dependencies:

```shell
trustcheck inspect sampleproject --version 4.0.0 --with-deps
```

Inspect the full transitive dependency tree:

```shell
trustcheck inspect sampleproject --version 4.0.0 --with-transitive-deps
```

Inspect every package listed in a requirements-style file:

```shell
trustcheck scan requirements.txt
```

Inspect dependencies declared in a TOML project file:

```shell
trustcheck scan pyproject.toml
```

Require a release to match an expected repository:

```shell
trustcheck inspect sampleproject \
  --version 4.0.0 \
  --expected-repo https://github.com/pypa/sampleproject
```

Emit JSON for another tool:

```shell
trustcheck inspect sampleproject --version 4.0.0 --format json
```

Emit combined JSON for a requirements-style or TOML file scan:

```shell
trustcheck scan requirements.txt --format json
```

Emit only vulnerability records as JSON:

```shell
trustcheck inspect sampleproject --version 4.0.0 --cve --format json
```

Fail CI when full verification is missing:

```shell
trustcheck inspect sampleproject --version 4.0.0 --strict
```

Use it from Python:

```python
from trustcheck import inspect_package

report = inspect_package("sampleproject", version="4.0.0", include_dependencies=True)
print(report.recommendation)
```

Full documentation: https://halfblood-prince.github.io/trustcheck/
- Getting started: Installation and Quickstart
- CLI usage: CLI overview, Policies, and Config and offline mode
- Integrations: JSON contract, Python API, and Compatibility
- Trust model: Verification model and repository matching
- Automation: CI integration
- Project details: Development and release process and Changelog
